Securing Web Services - Research

I've been looking for a few hours now for a "quick and easy" solution for securing the Dokeos web services, but I still have to go through a whole lot of technical details. Looking for help (to avoid so much reading work), I have sent an e-mail to the php-general mailing list, hoping for an answer. Because this e-mail is the result of considerable search efforts, I'm saving it here. Somehow it might very well help somebody trying to do the same...

From: Yannick Warnier
To: PHP General
Subject: [PHP] Securing web services
Date: Sun, 22 Feb 2009 13:04:37 -0500

Hi there,

Another Web Service related question. Obviously, Google gives me enough hints to find *many* documents on the topic (searching for "securing web services"), but I am developing open-source soft and I'd like to secure my web services to the maximum without forcing the user to use HTTPS/SSL (the generation or buying of a certificate is not what our lambda users can do).

Following the very nice table on page 32 of http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf using a combination of XML Encryption and XML Signature would provide a cover for almost all security risks related to providing web services.

This article: http://webservices.xml.com/pub/a/ws/2003/01/15/ends.html also goes away from the SSL method and *talks* about XML-DSIG and WS-Security, but that's out of PHP context.

Finally, the following article talks about NuSOAP and the SetCredentials method, which is probably the closest I can get to secure web services using existing PHP code.

Would anybody out here have gotten further and be able to tell me how they did it?

Thanks,

Yannick

Interesting links on this topic:

http://webservices.xml.com/pub/a/ws/2003/01/15/ends.html (with links to http://www.w3.org/Signature/ and http://www.w3.org/Encryption/2001/)

http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf